5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Apr 2025 14:18:16 +0000 (16:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Apr 2025 14:18:16 +0000 (16:18 +0200)
added patches:
btrfs-correctly-escape-subvol-in-btrfs_show_options.patch
hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch
isofs-prevent-the-use-of-too-small-fid.patch
perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch
riscv-avoid-fortify-warning-in-syscall_get_arguments.patch
virtiofs-add-filesystem-context-source-name-check.patch

queue-5.4/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch [new file with mode: 0644]
queue-5.4/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch [new file with mode: 0644]
queue-5.4/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch [new file with mode: 0644]
queue-5.4/isofs-prevent-the-use-of-too-small-fid.patch [new file with mode: 0644]
queue-5.4/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch [new file with mode: 0644]
queue-5.4/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch [new file with mode: 0644]
queue-5.4/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/virtiofs-add-filesystem-context-source-name-check.patch [new file with mode: 0644]

diff --git a/queue-5.4/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch b/queue-5.4/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch
new file mode 100644 (file)
index 0000000..a687965
--- /dev/null
@@ -0,0 +1,41 @@
+From dc08c58696f8555e4a802f1f23c894a330d80ab7 Mon Sep 17 00:00:00 2001
+From: Johannes Kimmel <kernel@bareminimum.eu>
+Date: Wed, 19 Mar 2025 22:49:00 +0100
+Subject: btrfs: correctly escape subvol in btrfs_show_options()
+
+From: Johannes Kimmel <kernel@bareminimum.eu>
+
+commit dc08c58696f8555e4a802f1f23c894a330d80ab7 upstream.
+
+Currently, displaying the btrfs subvol mount option doesn't escape ','.
+This makes parsing /proc/self/mounts and /proc/self/mountinfo
+ambiguous for subvolume names that contain commas. The text after the
+comma could be mistaken for another option (think "subvol=foo,ro", where
+ro is actually part of the subvolumes name).
+
+Replace the manual escape characters list with a call to
+seq_show_option(). Thanks to Calvin Walton for suggesting this approach.
+
+Fixes: c8d3fe028f64 ("Btrfs: show subvol= and subvolid= in /proc/mounts")
+CC: stable@vger.kernel.org # 5.4+
+Suggested-by: Calvin Walton <calvin.walton@kepstin.ca>
+Signed-off-by: Johannes Kimmel <kernel@bareminimum.eu>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1380,8 +1380,7 @@ static int btrfs_show_options(struct seq
+       subvol_name = btrfs_get_subvol_name_from_objectid(info,
+                       BTRFS_I(d_inode(dentry))->root->root_key.objectid);
+       if (!IS_ERR(subvol_name)) {
+-              seq_puts(seq, ",subvol=");
+-              seq_escape(seq, subvol_name, " \t\n\\");
++              seq_show_option(seq, "subvol", subvol_name);
+               kfree(subvol_name);
+       }
+       return 0;
diff --git a/queue-5.4/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch b/queue-5.4/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
new file mode 100644 (file)
index 0000000..d96f9d0
--- /dev/null
@@ -0,0 +1,89 @@
+From bb5e07cb927724e0b47be371fa081141cfb14414 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Sat, 19 Oct 2024 22:13:03 +0300
+Subject: hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit bb5e07cb927724e0b47be371fa081141cfb14414 upstream.
+
+Syzbot reported an issue in hfs subsystem:
+
+BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline]
+BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
+BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
+Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ memcpy_from_page include/linux/highmem.h:423 [inline]
+ hfs_bnode_read fs/hfs/bnode.c:35 [inline]
+ hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
+ hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159
+ hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118
+ hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232
+ vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
+ do_mkdirat+0x264/0x3a0 fs/namei.c:4280
+ __do_sys_mkdir fs/namei.c:4300 [inline]
+ __se_sys_mkdir fs/namei.c:4298 [inline]
+ __x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fbdd6057a99
+
+Add a check for key length in hfs_bnode_read_key to prevent
+out-of-bounds memory access. If the key length is invalid, the
+key buffer is cleared, improving stability and reliability.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/bnode.c     |    6 ++++++
+ fs/hfsplus/bnode.c |    6 ++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -70,6 +70,12 @@ void hfs_bnode_read_key(struct hfs_bnode
+       else
+               key_len = tree->max_key_len + 1;
++      if (key_len > sizeof(hfs_btree_key) || key_len < 1) {
++              memset(key, 0, sizeof(hfs_btree_key));
++              pr_err("hfs: Invalid key length: %d\n", key_len);
++              return;
++      }
++
+       hfs_bnode_read(node, key, off, key_len);
+ }
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -69,6 +69,12 @@ void hfs_bnode_read_key(struct hfs_bnode
+       else
+               key_len = tree->max_key_len + 2;
++      if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) {
++              memset(key, 0, sizeof(hfsplus_btree_key));
++              pr_err("hfsplus: Invalid key length: %d\n", key_len);
++              return;
++      }
++
+       hfs_bnode_read(node, key, off, key_len);
+ }
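Review bot: In both added guards the upper bound is the size of the key type (`sizeof(hfs_btree_key)` / `sizeof(hfsplus_btree_key)`), not the size of the buffer `key` points to, and the error path then `memset`s that full type size into `key`. The allocation behind `key` is made by callers outside these hunks; if they size it from `tree->max_key_len`, which is read from the on-disk image, a small value there would let both the accepted read and the `memset` run past the allocation, so the callers' buffer size should be confirmed or passed in. The message is also reachable repeatedly from a crafted volume, so `pr_err_ratelimited("hfs: Invalid key length: %d\n", key_len);` (and the hfsplus equivalent) would keep one bad image from flooding the log. hfs_bnode_read_key returns void, so callers carry on with a zeroed key; its body starts outside the hunk in both files.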
diff --git a/queue-5.4/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch b/queue-5.4/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch
new file mode 100644 (file)
index 0000000..2e2533e
--- /dev/null
@@ -0,0 +1,106 @@
+From 424eafe65647a8d6c690284536e711977153195a Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Mon, 7 Apr 2025 17:33:34 -0300
+Subject: i2c: cros-ec-tunnel: defer probe if parent EC is not present
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 424eafe65647a8d6c690284536e711977153195a upstream.
+
+When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent
+device will not be found, leading to NULL pointer dereference.
+
+That can also be reproduced by unbinding the controller driver and then
+loading i2c-cros-ec-tunnel module (or binding the device).
+
+[  271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058
+[  271.998215] #PF: supervisor read access in kernel mode
+[  272.003351] #PF: error_code(0x0000) - not-present page
+[  272.008485] PGD 0 P4D 0
+[  272.011022] Oops: Oops: 0000 [#1] SMP NOPTI
+[  272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S                  6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full)  3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5
+[  272.030312] Tainted: [S]=CPU_OUT_OF_SPEC
+[  272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021
+[  272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]
+[  272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9
+[  272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282
+[  272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000
+[  272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00
+[  272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000
+[  272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000
+[  272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10
+[  272.108198] FS:  00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000
+[  272.116282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0
+[  272.129155] Call Trace:
+[  272.131606]  <TASK>
+[  272.133709]  ? acpi_dev_pm_attach+0xdd/0x110
+[  272.137985]  platform_probe+0x69/0xa0
+[  272.141652]  really_probe+0x152/0x310
+[  272.145318]  __driver_probe_device+0x77/0x110
+[  272.149678]  driver_probe_device+0x1e/0x190
+[  272.153864]  __driver_attach+0x10b/0x1e0
+[  272.157790]  ? driver_attach+0x20/0x20
+[  272.161542]  bus_for_each_dev+0x107/0x150
+[  272.165553]  bus_add_driver+0x15d/0x270
+[  272.169392]  driver_register+0x65/0x110
+[  272.173232]  ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]
+[  272.182617]  do_one_initcall+0x110/0x350
+[  272.186543]  ? security_kernfs_init_security+0x49/0xd0
+[  272.191682]  ? __kernfs_new_node+0x1b9/0x240
+[  272.195954]  ? security_kernfs_init_security+0x49/0xd0
+[  272.201093]  ? __kernfs_new_node+0x1b9/0x240
+[  272.205365]  ? kernfs_link_sibling+0x105/0x130
+[  272.209810]  ? kernfs_next_descendant_post+0x1c/0xa0
+[  272.214773]  ? kernfs_activate+0x57/0x70
+[  272.218699]  ? kernfs_add_one+0x118/0x160
+[  272.222710]  ? __kernfs_create_file+0x71/0xa0
+[  272.227069]  ? sysfs_add_bin_file_mode_ns+0xd6/0x110
+[  272.232033]  ? internal_create_group+0x453/0x4a0
+[  272.236651]  ? __vunmap_range_noflush+0x214/0x2d0
+[  272.241355]  ? __free_frozen_pages+0x1dc/0x420
+[  272.245799]  ? free_vmap_area_noflush+0x10a/0x1c0
+[  272.250505]  ? load_module+0x1509/0x16f0
+[  272.254431]  do_init_module+0x60/0x230
+[  272.258181]  __se_sys_finit_module+0x27a/0x370
+[  272.262627]  do_syscall_64+0x6a/0xf0
+[  272.266206]  ? do_syscall_64+0x76/0xf0
+[  272.269956]  ? irqentry_exit_to_user_mode+0x79/0x90
+[  272.274836]  entry_SYSCALL_64_after_hwframe+0x55/0x5d
+[  272.279887] RIP: 0033:0x7b9309168d39
+[  272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8
+[  272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[  272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39
+[  272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003
+[  272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150
+[  272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000
+[  272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77
+[  272.345428]  </TASK>
+[  272.347617] Modules linked in: i2c_cros_ec_tunnel(+)
+[  272.364585] gsmi: Log Shutdown Reason 0x03
+
+Returning -EPROBE_DEFER will allow the device to be bound once the
+controller is bound, in the case of built-in drivers.
+
+Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Cc: <stable@vger.kernel.org> # v3.16+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-cros-ec-tunnel.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c
++++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c
+@@ -247,6 +247,9 @@ static int ec_i2c_probe(struct platform_
+       u32 remote_bus;
+       int err;
++      if (!ec)
++              return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n");
++
+       if (!ec->cmd_xfer) {
+               dev_err(dev, "Missing sendrecv\n");
+               return -EINVAL;
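Review bot: The new `!ec` guard at the top of ec_i2c_probe has no comment saying when the parent's driver data can be NULL, which is the reason the return is -EPROBE_DEFER rather than a hard error; I would add `/* Parent EC not bound (yet): no drvdata, ask the core to retry later */` above it. `ec` is assigned outside the hunk, so this assumes it comes from the parent device as the changelog describes. Since this is queued for 5.4, it is also worth a build check that `dev_err_probe()` exists in that tree, as I believe the helper postdates the 5.4 base; if it is missing, a plain `return -EPROBE_DEFER;` is the equivalent.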
diff --git a/queue-5.4/isofs-prevent-the-use-of-too-small-fid.patch b/queue-5.4/isofs-prevent-the-use-of-too-small-fid.patch
new file mode 100644 (file)
index 0000000..039485a
--- /dev/null
@@ -0,0 +1,95 @@
+From 0405d4b63d082861f4eaff9d39c78ee9dc34f845 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Fri, 4 Apr 2025 13:31:29 +0800
+Subject: isofs: Prevent the use of too small fid
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845 upstream.
+
+syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]
+
+The handle_bytes value passed in by the reproducing program is equal to 12.
+In handle_to_path(), only 12 bytes of memory are allocated for the structure
+file_handle->f_handle member, which causes an out-of-bounds access when
+accessing the member parent_block of the structure isofs_fid in isofs,
+because accessing parent_block requires at least 16 bytes of f_handle.
+Here, fh_len is used to indirectly confirm that the value of handle_bytes
+is greater than 3 before accessing parent_block.
+
+[1]
+BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
+Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466
+CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Call trace:
+ show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0x198/0x550 mm/kasan/report.c:521
+ kasan_report+0xd8/0x138 mm/kasan/report.c:634
+ __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
+ isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
+ exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
+ do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
+ handle_to_path fs/fhandle.c:385 [inline]
+ do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
+ __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
+ __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
+ __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
+ el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
+ el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+
+Allocated by task 6466:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x40/0x78 mm/kasan/common.c:68
+ kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4294 [inline]
+ __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ handle_to_path fs/fhandle.c:357 [inline]
+ do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
+ __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
+ __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
+ __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
+ el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
+ el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+
+Reported-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4d7cd7dd0ce1aa8d5c65
+Tested-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/tencent_9C8CB8A7E7C6C512C7065DC98B6EDF6EC606@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/isofs/export.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -180,7 +180,7 @@ static struct dentry *isofs_fh_to_parent
+               return NULL;
+       return isofs_export_iget(sb,
+-                      fh_len > 2 ? ifid->parent_block : 0,
++                      fh_len > 3 ? ifid->parent_block : 0,
+                       ifid->parent_offset,
+                       fh_len > 4 ? ifid->parent_generation : 0);
+ }
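Review bot: The length thresholds in this return statement (`fh_len > 3`, `fh_len > 4`, and the unguarded `ifid->parent_offset`) are bare word counts that must be kept in step with the layout of struct isofs_fid by hand, which is how the off-by-one fixed here survived. Tying each check to the field it protects, e.g. `fh_len * sizeof(u32) >= offsetofend(struct isofs_fid, parent_block) ? ifid->parent_block : 0,`, makes the bound follow the struct (this assumes fh_len counts 32-bit words, as the changelog's 12-byte/16-byte reasoning implies). The `parent_offset` read depends on the minimum-length check that precedes `return NULL;`, which is outside the hunk and should be confirmed to cover that field. isofs_fh_to_parent starts outside the hunk.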
diff --git a/queue-5.4/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch b/queue-5.4/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
new file mode 100644 (file)
index 0000000..605ed2d
--- /dev/null
@@ -0,0 +1,78 @@
+From 71dcc11c2cd9e434c34a63154ecadca21c135ddd Mon Sep 17 00:00:00 2001
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Date: Tue, 15 Apr 2025 10:41:35 +0000
+Subject: perf/x86/intel: Allow to update user space GPRs from PEBS records
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+commit 71dcc11c2cd9e434c34a63154ecadca21c135ddd upstream.
+
+Currently when a user samples user space GPRs (--user-regs option) with
+PEBS, the user space GPRs actually always come from software PMI
+instead of from PEBS hardware. This leads to the sampled GPRs to
+possibly be inaccurate for single PEBS record case because of the
+skid between counter overflow and GPRs sampling on PMI.
+
+For the large PEBS case, it is even worse. If user sets the
+exclude_kernel attribute, large PEBS would be used to sample user space
+GPRs, but since PEBS GPRs group is not really enabled, it leads to all
+samples in the large PEBS record to share the same piece of user space
+GPRs, like this reproducer shows:
+
+  $ perf record -e branches:pu --user-regs=ip,ax -c 100000 ./foo
+  $ perf report -D | grep "AX"
+
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+  .... AX    0x000000003a0d4ead
+
+So enable GPRs group for user space GPRs sampling and prioritize reading
+GPRs from PEBS. If the PEBS sampled GPRs is not user space GPRs (single
+PEBS record case), perf_sample_regs_user() modifies them to user space
+GPRs.
+
+[ mingo: Clarified the changelog. ]
+
+Fixes: c22497f5838c ("perf/x86/intel: Support adaptive PEBS v4")
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250415104135.318169-2-dapeng1.mi@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -985,8 +985,10 @@ static u64 pebs_update_adaptive_cfg(stru
+        * + precise_ip < 2 for the non event IP
+        * + For RTM TSX weight we need GPRs for the abort code.
+        */
+-      gprs = (sample_type & PERF_SAMPLE_REGS_INTR) &&
+-             (attr->sample_regs_intr & PEBS_GP_REGS);
++      gprs = ((sample_type & PERF_SAMPLE_REGS_INTR) &&
++              (attr->sample_regs_intr & PEBS_GP_REGS)) ||
++             ((sample_type & PERF_SAMPLE_REGS_USER) &&
++              (attr->sample_regs_user & PEBS_GP_REGS));
+       tsx_weight = (sample_type & PERF_SAMPLE_WEIGHT) &&
+                    ((attr->config & INTEL_ARCH_EVENT_MASK) ==
+@@ -1569,7 +1571,7 @@ static void setup_pebs_adaptive_sample_d
+                       regs->flags &= ~PERF_EFLAGS_EXACT;
+               }
+-              if (sample_type & PERF_SAMPLE_REGS_INTR)
++              if (sample_type & (PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER))
+                       adaptive_pebs_save_regs(regs, gprs);
+       }
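Review bot: In the second ds.c hunk, `adaptive_pebs_save_regs(regs, gprs)` now also runs when only PERF_SAMPLE_REGS_USER is set, so `regs` can hold hardware-captured GPRs from a record taken in kernel mode. The changelog says perf_sample_regs_user() replaces them with user-space registers in that case, but that function is outside both hunks; since it is what keeps kernel register contents out of a user-regs sample, confirm the 5.4 version performs that substitution. A comment at the call such as `/* may be kernel-mode GPRs; perf_sample_regs_user() swaps in user regs before output */` would record the dependency. Both functions start and end outside the hunks shown.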
diff --git a/queue-5.4/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch b/queue-5.4/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch
new file mode 100644 (file)
index 0000000..ffcf0ab
--- /dev/null
@@ -0,0 +1,71 @@
+From 96a720db59ab330c8562b2437153faa45dac705f Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Wed, 16 Apr 2025 07:24:24 -0700
+Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 96a720db59ab330c8562b2437153faa45dac705f upstream.
+
+There was a mistake in the SNR uncore spec. The counter increments for
+every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes
+which was documented in the spec.
+
+The event list has been updated:
+
+  "EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN",
+  "BriefDescription": "Free running counter that increments for every 32
+                      bytes of data sent from the IO agent to the SOC",
+
+Update the scale of the IIO bandwidth in free running counters as well.
+
+Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/uncore_snbep.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -4220,28 +4220,28 @@ static struct uncore_event_desc snr_unco
+       INTEL_UNCORE_EVENT_DESC(ioclk,                  "event=0xff,umask=0x10"),
+       /* Free-Running IIO BANDWIDTH IN Counters */
+       INTEL_UNCORE_EVENT_DESC(bw_in_port0,            "event=0xff,umask=0x20"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port1,            "event=0xff,umask=0x21"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port2,            "event=0xff,umask=0x22"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port3,            "event=0xff,umask=0x23"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port4,            "event=0xff,umask=0x24"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port5,            "event=0xff,umask=0x25"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port6,            "event=0xff,umask=0x26"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit,       "MiB"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port7,            "event=0xff,umask=0x27"),
+-      INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale,      "3.814697266e-6"),
++      INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale,      "3.0517578125e-5"),
+       INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit,       "MiB"),
+       { /* end: all zeroes */ },
+ };
diff --git a/queue-5.4/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch b/queue-5.4/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch
new file mode 100644 (file)
index 0000000..e13d154
--- /dev/null
@@ -0,0 +1,67 @@
+From adf53771a3123df99ca26e38818760fbcf5c05d0 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 9 Apr 2025 14:24:46 -0700
+Subject: riscv: Avoid fortify warning in syscall_get_arguments()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit adf53771a3123df99ca26e38818760fbcf5c05d0 upstream.
+
+When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
+because of the memcpy() in syscall_get_arguments():
+
+  In file included from include/linux/string.h:392,
+                   from include/linux/bitmap.h:13,
+                   from include/linux/cpumask.h:12,
+                   from arch/riscv/include/asm/processor.h:55,
+                   from include/linux/sched.h:13,
+                   from kernel/ptrace.c:13:
+  In function 'fortify_memcpy_chk',
+      inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
+  include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
+    580 |                         __read_overflow2_field(q_size_field, size);
+        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  cc1: all warnings being treated as errors
+
+The fortified memcpy() routine enforces that the source is not overread
+and the destination is not overwritten if the size of either field and
+the size of the copy are known at compile time. The memcpy() in
+syscall_get_arguments() intentionally overreads from a1 to a5 in
+'struct pt_regs' but this is bigger than the size of a1.
+
+Normally, this could be solved by wrapping a1 through a5 with
+struct_group() but there was already a struct_group() applied to these
+members in commit bba547810c66 ("riscv: tracing: Fix
+__write_overflow_field in ftrace_partial_regs()").
+
+Just avoid memcpy() altogether and write the copying of args from regs
+manually, which clears up the warning at the expense of three extra
+lines of code.
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Dmitry V. Levin <ldv@strace.io>
+Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250409-riscv-avoid-fortify-warning-syscall_get_arguments-v1-1-7853436d4755@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/syscall.h |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/syscall.h
++++ b/arch/riscv/include/asm/syscall.h
+@@ -67,8 +67,11 @@ static inline void syscall_get_arguments
+                                        unsigned long *args)
+ {
+       args[0] = regs->orig_a0;
+-      args++;
+-      memcpy(args, &regs->a1, 5 * sizeof(args[0]));
++      args[1] = regs->a1;
++      args[2] = regs->a2;
++      args[3] = regs->a3;
++      args[4] = regs->a4;
++      args[5] = regs->a5;
+ }
+ static inline void syscall_set_arguments(struct task_struct *task,
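Review bot: The setter may still carry the memcpy pattern this patch removes from the getter: syscall_set_arguments, whose signature starts on the hunk's last line, is untouched and its body is outside the hunk. If it copies into `&regs->a1` with a five-word `memcpy`, that is the mirror-image case (a write past the size of the a1 field) and would want the same explicit assignments, `regs->a1 = args[1];` through `regs->a5 = args[5];`, so the two accessors stay consistent.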
index 947db59b3d4b675a6c8ca91342e04c154e1af83d..aba11f3bf332d813c9863a17b1cb425419dae737 100644 (file)
@@ -96,3 +96,11 @@ asus-laptop-fix-an-uninitialized-variable.patch
 nfsd-constify-fh-argument-of-knfsd_fh_hash.patch
 nfs-move-nfs_fhandle_hash-to-common-include-file.patch
 nfs-add-missing-selections-of-config_crc32.patch
+btrfs-correctly-escape-subvol-in-btrfs_show_options.patch
+hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
+i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch
+isofs-prevent-the-use-of-too-small-fid.patch
+riscv-avoid-fortify-warning-in-syscall_get_arguments.patch
+virtiofs-add-filesystem-context-source-name-check.patch
+perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
+perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch
diff --git a/queue-5.4/virtiofs-add-filesystem-context-source-name-check.patch b/queue-5.4/virtiofs-add-filesystem-context-source-name-check.patch
new file mode 100644 (file)
index 0000000..073a097
--- /dev/null
@@ -0,0 +1,35 @@
+From a94fd938df2b1628da66b498aa0eeb89593bc7a2 Mon Sep 17 00:00:00 2001
+From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+Date: Mon, 7 Apr 2025 19:50:49 +0800
+Subject: virtiofs: add filesystem context source name check
+
+From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+
+commit a94fd938df2b1628da66b498aa0eeb89593bc7a2 upstream.
+
+In certain scenarios, for example, during fuzz testing, the source
+name may be NULL, which could lead to a kernel panic. Therefore, an
+extra check for the source name should be added.
+
+Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
+Cc: <stable@vger.kernel.org> # all LTS kernels
+Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/virtio_fs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -1206,6 +1206,9 @@ static int virtio_fs_get_tree(struct fs_
+       struct fuse_conn *fc;
+       int err;
++      if (!fsc->source)
++              return invalf(fsc, "No source specified");
++
+       /* This gets a reference on virtio_fs object. This ptr gets installed
+        * in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
+        * to drop the reference to this object.